Solved

NTFS permission

Posted on 2010-09-13
7
751 Views
Last Modified: 2013-12-04
We failed on backup job due to many Access Denied files.
Because there are many folders/files, it is impossible to add it one by one manually.
How can we add domain admins group to all folders/files with out affect existing NTFS security permissions?
We are using 2003R2 server in AD environment.
Thank you.
0
Comment
Question by:dickchan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 20

Expert Comment

by:wolfcamel
ID: 33668672
sounds like you may need to revisit the entire structure of your security and inheritance etc.

If you add the admin at the root you still wont have access to folders where the admin has been removed, and inheritance turned off.

0
 
LVL 63

Accepted Solution

by:
SysExpert earned 100 total points
ID: 33668695
Backup Admin should always have access to everything, and  you need to make sure it is set that way.

CACLS and similar may be helpful.
test carefully before implementing.

I hope this helps !
0
 
LVL 6

Assisted Solution

by:avishar
avishar earned 100 total points
ID: 33668705
Use "modacl" , using this utility you can apply/remove permission of a group recursively or otherwise on a folder without affecting the existing permission.
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 6

Expert Comment

by:avishar
ID: 33668745
If you decide to use modacl then download SuperCACLs 3.0 from Trusted Systems Services..
0
 
LVL 4

Assisted Solution

by:majidhajali
majidhajali earned 100 total points
ID: 33668875
Users of Backup Operators group have access to all files and folders whether they have NTFS permission on that folder/file or not. I suggest you create a user and put that user in Backup Operators group and run the backup tasks with delegation of that user.
0
 
LVL 4

Assisted Solution

by:ashaw2009
ashaw2009 earned 100 total points
ID: 33669071
Firstly check what account you are using to run the backup job, then add that account to the local servers backup operators group:
Start > Run > compmgmt.msc > System Tools > Local Users and Groups > backup operators

Second check your VSS writers are stable.
Start >run> CMD > Vssadmin List Writers
Each writer should come back as Stable and No errors. If the writers are in a failed state you may need to restart the server or take further action.

Third check the Volume shadow copy service is set to start Manually and the logon account is the system account:

Start >run>services.msc>Volume Shadow Copy service
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 100 total points
ID: 33669225
I would recommend SubInACL from Microsoft. It is easy in use and very powerful. You can download it at
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question